Prevent vendor_init from using binder or sockets am: a099830e

am: 40e15ab3

Change-Id: I486933e6d02f1905c31c336d12ee4e5bf9802d95

public/domain.te

@@ -389,6 +389,7 @@ neverallow * init:process ptrace;
 # Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow * init:binder *;
+neverallow * vendor_init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type

public/servicemanager.te

@@ -12,6 +12,7 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager {
   domain
   -init
+  -vendor_init
   -hwservicemanager
   -vndservicemanager
 }:binder transfer;

public/vendor_init.te

@@ -4,6 +4,9 @@ type vendor_init, domain, mlstrustedsubject;
 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };
 
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open write };
 

vendor/vndservicemanager.te

@@ -6,7 +6,7 @@ init_daemon_domain(vndservicemanager);
 allow vndservicemanager self:binder set_context_mgr;
 
 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;